@@ -48,6 +48,7 @@ You might think: "WTF!? Do I need to register a user and password blah, blah". F
Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "camp/camp" or "guest/guest" as "username/password".
### Client Settings
Also see [here](network_dot1x_settings.md) for a list of OS-specific client settings.
Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [here](network_dot1x_certificate.md) for the complete certificate.
If you don't want to use the app, download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem), and [install it](https://support.google.com/pixelphone/answer/2844832) into your device's **Wi-Fi certificate** store, giving it any name you like. Then connect to the **Camp2023** network using the following information:
* EAP method: TTLS *(not TLS)*
* CA certificate: *(whatever name you gave the ISRG Root X1)*
* Domain: radius.c3noc.net
* Identity: camp
* Password: camp
It's fine to leave **Online Certificate status** as "Do not validate", and leave the **Anonymous identity** blank.
## Linux, etc.
### Network Manager
You can use the following config file:
Please note that some versions of NM are buggy and will only work with 802.1X using MSCHAPv2, or not at all. If that affects you, it may be easiest to use wpa_supplicant.
/etc/NetworkManager/system-connections/Camp2023:
Hint: chmod 600 this file to make the connection work.
```
[connection]
id=Camp2023
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=
[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=Camp2023
[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=
[802-1x]
altsubject-matches=DNS:radius.c3noc.net
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
eap=ttls;
identity=camp
password=camp
phase2-altsubject-matches=
phase2-auth=pap
[ipv4]
dns-search=
method=auto
[ipv6]
dns-search=
method=auto
```
### WiCD
You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours):
```
name = EAP-TTLS Camp2023
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="Camp2023"
scan_ssid=$_SCAN
identity="camp"
password="camp"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
altsubject_match="DNS:radius.c3noc.net"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}
```
Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS Camp2023) and enter a random username/password.
### Jolla/connman
/var/lib/connman/Camp2023wifi.config :
```
[service_Camp2023]
Type=wifi
Name=Camp2023-legacy
EAP=ttls
Phase2=PAP
Identity=camp
Passphrase=camp
```
### wpa_supplicant
This is the default option on Raspberry Pi OS. Edit /etc/wpa_supplicant/wpa_supplicant.conf and add the network:
```
network={
ssid="Camp2023"
key_mgmt=WPA-EAP
eap=TTLS
identity="camp"
password="camp"
# ca path on debian 7.x and raspberry pi OS, modify accordingly
ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
altsubject_match="DNS:radius.c3noc.net"
phase2="auth=PAP"
}
```
### Interfaces
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:
* Open a command prompt and execute: netsh wlan add profile filename=Camp2023.xml
* Connect to the Camp2023 network; use "camp/camp" as the username/password when prompted. Alternatively, use "outboundonly/outboundonly" as the username/password to enable inbound traffic firewalling.
